Official Phoenix Discussion

Official discussion thread for Phoenix. Please do not post any spoilers or big hints.

Anyone find any foothold?

I found a vuln, but it’s slow and I am not sure if it will merit any fruits.

Was able to laterally move but sadly didn’t get any more privileges. Will keep hammering.

Let me preface with a warning that I’m new and still learning, but here are my thoughts/experiences:

Comment fields seem to be sanitized. Looks like you may need to have author privs.
My only thought is to throw rockyou at ph*ix and jsth, but I didn’t have luck after a couple of hours.

Please share your opinions on my methodology and what you guys are thinking.

Oh, that’s why the servers are so slow lol. I don’t think you have to brute force any logins. Enumeration of the running application should get you the foothold.

I didn’t get any further than that though.

Yeah, no brute forcing needed. But this is horribly slow, even when you know what info you’re after. I had to give up because things were taking too long trying to get some specific info. I wonder if I’m missing a better technique.

Got admin credential, but blocked by 2fa.


Same here. I even got the OTP, but it doesn’t work :man_shrugging:

Same point…
Got 3 creds / 2 require 2FA / 1 is not that interesting
Can’t yet bypass 2FA though… I think I know how to do it … but if anybody has any idea how to speed up the enumeration process…

… it’s so slow …

Same. I’ve verified that the HTTP time skew is within tolerance.

After spending hours to find t…p, I did find it (in a weird place btw), but I systematically get ‘invalid code’ when I try to use it…
My box is in sync with the target
This is starting to bore me a great deal now… If someone has any idea?

Rooted. Thx a lot to @timrashed for your help.

OTP seems to be a rabbit hole, which I think is a shame; it was a nice way to get in.


Finally rooted the box, thanks @clure for the help.

User is really hard for me. Root requires some enum but it’s easy to exploit.

Check carefully where the 2FA is used.


Great hint! Thanks.

Finally got foothold. Annoying 2FA (again).


Thx for the hint, guys!

I’m stuck on the 2FA part. I read in the thread that the 2FA/OTP is a dead end?

Any pointers as to how to proceed? I have the admin creds, but cannot bypass 2FA.

Thanks

Stuck on the 2FA part too, any nudge in the right direction would be appreciated!

Got admin credentials for the site, but I am stuck on the 2FA part. Could someone give me a nudge please?

Been doing some enumeration using that one vulnerability, but I feel like I’m going down a rabbit hole.

Rooted the box, definitely a lot of steps to this one and it is tricky.

Foothold: Enumerate the app very thoroughly, check as much about the app as possible. A few specific things will stick out. Some tools may not tell you everything. These will help you get by 2FA, and other things that come later.
User: Once you actually get a shell, thoroughly enumerate the box; you should notice a few things that will stick out. Check this against a file that might be hindering you from straight up switching to the user right off the bat.
Root: This one is really interesting, it’s definitely a twist on an old classic. You may want to get to the core of things.